The ELK stack consists of Elasticsearch, Logstash, and Kibana, three open source products that many companies use to centralize and analyze their log data. ELK is popular because it fills a real need in the log analytics space: it makes searching and analyzing large data sets much easier and faster as those data sets grow. The stack is versatile; you can run it as a stand-alone application or integrate it with existing applications to work with the most current data. With Elasticsearch you get the features needed to make real-time decisions, and each of the three tools can also be used separately or together with other products.

Logstash collects and parses logs, Elasticsearch indexes and stores them, and Kibana presents the data as visualizations on a web interface that give actionable insight into your environment. Because every log is searchable in one place, issues that span multiple servers can be identified by correlating their logs over a specific time frame, which makes centralized logging very useful when troubleshooting servers or applications.

System Resources

In this article we will be using Ubuntu 14.04 on a test server with 2 GB RAM, 1 CPU and 20 GB of free disk space. Increase these resources according to the volume of logs in your infrastructure. Log in to your Ubuntu server as a non-root user with sudo privileges to perform the installation steps.

First, refresh the package index so that the latest package versions are installed. Note that 'apt-get update' only refreshes the index; run 'apt-get upgrade' afterwards if you also want pending patches and security updates applied.

$ sudo apt-get update

Installing Oracle Java 8

Before installing ELK we need Java, which is required to run Elasticsearch and Logstash. We are going to install Oracle Java 8, but OpenJDK works as well if you prefer not to use Oracle; the third-party installer PPA used below has since been discontinued, so OpenJDK is the more reliable choice today.

To install Oracle Java 8 on Ubuntu 14.04, first add its PPA repository to apt and update the package index once again.

After the update you can install Oracle Java 8 with the following command.

$ sudo apt-get -y install oracle-java8-installer

To install this package you must accept the license terms, the Oracle Binary Code License Agreement for the Java SE Platform Products and JavaFX; declining cancels the installation.

Once the installation is complete, verify it by printing the installed Java version with the command below.

$ java -version

Installing Elasticsearch

To install Elasticsearch, add its repository from the official site http://elastic.co and import its public signing key so that apt can verify the packages. Run the following commands to import the Elasticsearch public GPG key into apt, create the Elasticsearch source list, and update the package index.

Now install Elasticsearch with 'apt-get':

$ sudo apt-get -y install elasticsearch

Once the package is installed, restrict outside access to the Elasticsearch instance on port 9200, so that outsiders cannot read your data or shut down your Elasticsearch cluster through the HTTP API. Elasticsearch of this version has no authentication of its own, so this bind address is the only access control on the HTTP API. Open the configuration file and set network.host:

$ sudo vi /etc/elasticsearch/elasticsearch.yml
network.host: localhost

Save the file, then start Elasticsearch and configure it to start at boot using the following commands.

Logstash can gather logs of all types, but we will limit the scope of this tutorial to syslog gathering.

Installing Kibana

After installing Elasticsearch, install Kibana. Add the Kibana package repository to the source list and update the package index with the following commands.

After the update, install Kibana on Ubuntu 14.04 with the following command, then edit its default configuration file in your editor so that Kibana listens only on localhost. External access will go through an Nginx reverse proxy installed on the same server.

Save and close the configuration file, then enable Kibana at boot and confirm its service is running with the following commands.

$ sudo update-rc.d kibana defaults 96 9
$ sudo service kibana status

Installing NGINX

Because we configured Kibana to listen only on localhost, we have to set up Nginx as a reverse proxy before the Kibana web interface can be reached from outside. Install Nginx and apache2-utils (which provides 'htpasswd') with 'apt':

$ sudo apt-get -y install nginx apache2-utils

To control access to the Kibana web interface, create a user with 'htpasswd', for example 'kadmin' (any user name works); it prompts for the password after you run the command below. The -c flag creates the file, so omit it when adding further users or you will overwrite the existing entries.

$ sudo htpasswd -c /etc/nginx/htpasswd.users kadmin

Then open the Nginx default server configuration file in your favorite editor and change it so that Nginx forwards your server's HTTP traffic to Kibana on localhost:5601 and requires basic authentication against the htpasswd.users file created earlier.

$ sudo vi /etc/nginx/sites-available/default
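As an added example, not the page's own configuration file, the server block for /etc/nginx/sites-available/default emitted from a shell function, together with a check that the two loopback-only settings made earlier actually hold: Elasticsearch on 9200 and Kibana on 5601 must be bound only to 127.0.0.1 or ::1, and Nginx must answer 401 to a request without credentials. The hostname kibana.example.com is a placeholder. Keep in mind that HTTP basic auth sends the password in the clear on every request, so terminate TLS in Nginx before exposing this on an untrusted network.

```shell
#!/bin/sh
# Nginx in front of Kibana with basic auth, plus checks that the loopback-only
# settings hold. Added example; not the page's own file. The hostname is a
# placeholder, and htpasswd.users is the file created with htpasswd -c above.
set -eu

KIBANA_HOST="${KIBANA_HOST:-kibana.example.com}"   # assumption: your FQDN or IP

# Emit the server block for /etc/nginx/sites-available/default: every request
# on port 80 needs a user from htpasswd.users and is proxied to Kibana on
# loopback. The Upgrade/Connection headers are the usual proxy boilerplate
# for a Node.js application such as Kibana.
nginx_kibana_site() {
  host="$1"
  cat <<EOF
server {
    listen 80;
    server_name ${host};

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host \$host;
        proxy_cache_bypass \$http_upgrade;
    }
}
EOF
}

# Read `ss -ltn` or `netstat -ltn` output on stdin. Exit 0 if every listener on
# the given port is bound to a loopback address, 1 if any is bound elsewhere
# (0.0.0.0, *, :: or a real interface), 2 if nothing listens on the port.
port_loopback_only() {
  awk -v p="$1" '
    $1 == "LISTEN" || $1 == "tcp" || $1 == "tcp6" {
      addr = $4
      n = split(addr, parts, ":")
      if (parts[n] != p) next
      found = 1
      if (addr !~ /^(127\.0\.0\.1|\[?::1]?|::ffff:127\.0\.0\.1):/) bad = 1
    }
    END { if (!found) exit 2; exit (bad ? 1 : 0) }'
}

# Live checks on the ELK server: Elasticsearch (9200) and Kibana (5601) must
# be loopback-only, and Nginx must refuse an unauthenticated request.
check_exposure() {
  for port in 9200 5601; do
    if ss -ltn | port_loopback_only "$port"; then
      echo "port $port: loopback only"
    else
      echo "port $port: not listening, or reachable from outside" >&2
      return 1
    fi
  done
  code=$(curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1/)
  [ "$code" = "401" ] || { echo "expected 401 from Nginx without credentials, got $code" >&2; return 1; }
  echo "nginx: unauthenticated request rejected"
}

# Write the site file, syntax-check it, and restart Nginx.
install_site() {
  nginx_kibana_site "$KIBANA_HOST" | sudo tee /etc/nginx/sites-available/default >/dev/null
  sudo nginx -t && sudo service nginx restart
}

case "${1:-}" in
  install) install_site ;;
  check)   check_exposure ;;
esac
```

Run the script with 'install' on the server and then with 'check'. The listener parser only reads text, so it also works on a saved copy of 'ss -ltn' output from another host.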

After saving the changes, restart Nginx to put them into effect with the following command; an OK status means Nginx is working fine.

$ sudo service nginx restart

If you now open the server's address in a web browser and enter the "kadmin" credentials, you should see the Kibana welcome page, which asks you to configure an index pattern. We will get back to that after installing the other components.

Installing Logstash

Logstash will centralize the processing of logs and other events from the client servers. Add the Logstash repository to the source list and install the package.

Generating SSL Certificates

We are going to use Logstash Forwarder to ship logs from the client servers to the Logstash server, so we need an SSL certificate and key pair. The certificate is used by Logstash Forwarder to verify the identity of the Logstash server.

Run the commands below to create the directories that will hold the certificate and the private key.

$ sudo mkdir -p /etc/pki/tls/certs
$ sudo mkdir /etc/pki/tls/private

Now generate the SSL certificate. If you have a DNS setup that lets the client servers resolve the Logstash server, use its FQDN; otherwise use its IP address. In that case the Logstash server's private IP address must be present in the subjectAltName (SAN) field of the certificate we are about to generate, because the forwarder matches the address it connects to against the certificate. To do so, open the OpenSSL configuration file, find the [ v3_ca ] section, and add a subjectAltName entry under it containing the Logstash server's private IP address.
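The certificate generation described above, as an added example rather than the page's own command: instead of editing the system-wide openssl.cnf it writes a throwaway OpenSSL config carrying the SAN, generates the self-signed certificate and key into the directories created earlier, and then verifies that the SAN really made it into the certificate. The IP address 10.0.0.5, the 10-year lifetime and the CN are placeholders and assumptions.

```shell
#!/bin/sh
# Self-signed certificate for the Logstash server with its private IP in the
# subjectAltName, so Logstash Forwarder can verify the server when connecting
# by IP. Added example, not the page's command. Assumes the /etc/pki/tls paths
# from the page and a placeholder IP of 10.0.0.5.
set -eu

LOGSTASH_IP="${LOGSTASH_IP:-10.0.0.5}"   # assumption: replace with the server's private IP
CERT=/etc/pki/tls/certs/logstash-forwarder.crt
KEY=/etc/pki/tls/private/logstash-forwarder.key

# Emit a minimal OpenSSL request config whose x509 extensions carry the SAN.
# Use IP: for an address; for a hostname you would write DNS:name instead.
san_config() {
  ip="$1"
  cat <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_logstash
prompt = no

[ dn ]
CN = logstash

[ v3_logstash ]
subjectAltName = IP:${ip}
EOF
}

# Generate an unencrypted 2048-bit RSA key and a self-signed certificate valid
# for 10 years (an assumption; pick a lifetime that fits your rotation policy).
# The forwarder pins this certificate as its "ssl ca", so no separate CA is needed.
generate_cert() {
  ip="$1"; crt="$2"; key="$3"
  tmpcnf=$(mktemp)
  san_config "$ip" > "$tmpcnf"
  openssl req -x509 -days 3650 -nodes -newkey rsa:2048 \
    -config "$tmpcnf" -extensions v3_logstash \
    -keyout "$key" -out "$crt"
  rm -f "$tmpcnf"
  chmod 600 "$key"    # only the Logstash process (root via the init script) needs the key
}

# Exit 0 if the certificate's SAN lists the expected IP address, 1 otherwise.
cert_has_san_ip() {
  crt="$1"; ip="$2"
  openssl x509 -in "$crt" -noout -text | grep -q "IP Address:${ip}"
}

if [ "${1:-}" = "generate" ]; then   # run as root: the paths are under /etc
  generate_cert "$LOGSTASH_IP" "$CERT" "$KEY"
  cert_has_san_ip "$CERT" "$LOGSTASH_IP" && echo "SAN contains $LOGSTASH_IP: $CERT"
fi
```

Run it as 'sudo sh gen-cert.sh generate' (or whatever you name the file) on the Logstash server; the SAN check at the end is what catches a certificate generated from the wrong config, the usual cause of forwarder connection failures.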

The generated logstash-forwarder.crt file will be copied to every server that sends logs to Logstash; we will do that after configuring Logstash.

Configuring Logstash

Logstash configuration files reside in the '/etc/logstash/conf.d' directory. They use Logstash's own JSON-like format and consist of three sections: inputs, filters, and outputs.
Let's create a configuration file called '01-lumberjack-input.conf' and set up the "lumberjack" input, the TCP protocol on port '5043' that Logstash Forwarder uses, by adding the following contents to it.

Next create a configuration file called '10-syslog.conf' with a filter for syslog messages. It looks for logs labelled with type "syslog" (by Logstash Forwarder) and uses "grok" to parse the incoming syslog lines into structured, queryable fields.

Now create one more configuration file called '30-lumberjack-output.conf' with the following output configuration, which tells Logstash to store the logs in Elasticsearch. With this configuration Logstash will also accept logs that do not match the filter, but they will not be structured: they will be stored as flat messages rather than broken out into fields such as source IP addresses or served files.

On each client server, the Logstash Forwarder configuration connects to your Logstash server on port 5043 (the port we specified an input for earlier) and uses the SSL certificate created earlier, which must be copied to the client first. Now go to the files section and add the following lines.

The paths section specifies which log files to send, and the fields section marks these logs as type "syslog", which is what the filter above matches. Save and quit the file with ':wq!' and restart Logstash Forwarder to make the changes effective.

$ sudo service logstash-forwarder restart
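The full set of files from the two preceding steps, as an added end-to-end example rather than the page's own configuration: the three server-side pipeline files under /etc/logstash/conf.d and the client-side /etc/logstash-forwarder.conf, each emitted from a shell function so the text can be inspected before it is written. The syntax assumes Logstash 2.x (Logstash 1.5 used 'host =>' instead of 'hosts =>' in the elasticsearch output), the Logstash binary path /opt/logstash/bin/logstash of the deb package, and a placeholder server IP of 10.0.0.5.

```shell
#!/bin/sh
# End-to-end Logstash configuration for the syslog pipeline described above:
# the three server-side files in /etc/logstash/conf.d and the client-side
# /etc/logstash-forwarder.conf. Added example, not the page's own files.
# Assumes Logstash 2.x syntax and a placeholder Logstash server IP of 10.0.0.5.
set -eu

LOGSTASH_IP="${LOGSTASH_IP:-10.0.0.5}"   # assumption: the Logstash server's private IP

# 01-lumberjack-input.conf: accept Logstash Forwarder connections on 5043 over
# TLS using the certificate/key generated earlier; tag every event as syslog.
lumberjack_input_conf() {
  cat <<'EOF'
input {
  lumberjack {
    port => 5043
    type => "syslog"
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
EOF
}

# 10-syslog.conf: split a syslog line into timestamp, host, program, pid and
# message, keep the arrival time/host as received_at/received_from, and set
# @timestamp to when the event was logged rather than when it was received.
syslog_filter_conf() {
  cat <<'EOF'
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
EOF
}

# 30-lumberjack-output.conf: index into the local Elasticsearch, which is
# reachable only on loopback after the earlier network.host change.
es_output_conf() {
  cat <<'EOF'
output {
  elasticsearch { hosts => ["localhost:9200"] }
}
EOF
}

# /etc/logstash-forwarder.conf on each client: ship syslog and auth.log to the
# server, verifying its certificate against the copied logstash-forwarder.crt.
forwarder_conf() {
  cat <<EOF
{
  "network": {
    "servers": [ "$1:5043" ],
    "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt",
    "timeout": 15
  },
  "files": [
    {
      "paths": [ "/var/log/syslog", "/var/log/auth.log" ],
      "fields": { "type": "syslog" }
    }
  ]
}
EOF
}

# Server side: write the files, validate them, then restart.
install_pipeline() {
  lumberjack_input_conf | sudo tee /etc/logstash/conf.d/01-lumberjack-input.conf >/dev/null
  syslog_filter_conf    | sudo tee /etc/logstash/conf.d/10-syslog.conf >/dev/null
  es_output_conf        | sudo tee /etc/logstash/conf.d/30-lumberjack-output.conf >/dev/null
  # Validate before restarting so a typo cannot silently stop ingestion.
  sudo /opt/logstash/bin/logstash --configtest -f /etc/logstash/conf.d/
  sudo service logstash restart
}

# Client side: assumes logstash-forwarder.crt was already copied from the server.
install_forwarder() {
  forwarder_conf "$LOGSTASH_IP" | sudo tee /etc/logstash-forwarder.conf >/dev/null
  sudo service logstash-forwarder restart
}

case "${1:-}" in
  server) install_pipeline ;;
  client) install_forwarder ;;
esac
```

Run it with 'server' on the Logstash server and with 'client' on each forwarder host. The forwarder does not fall back to plain TCP when the certificate check fails, so a wrong "ssl ca" path or a certificate without the server's IP in its SAN shows up as repeated connection failures in the forwarder's log rather than as missing fields in Kibana.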

Logstash Forwarder is now sending 'syslog' and 'auth.log' to the Logstash server. Repeat this section on every other server whose logs you wish to gather.

Connecting to Kibana

After setting up Logstash Forwarder on the client servers, return to the Kibana web interface we installed earlier. Open the FQDN or IP address of your Logstash server in a web browser. Because Kibana itself listens only on localhost, go through the Nginx proxy on port 80 rather than to port 5601 directly. After entering the "kadmin" credentials you will see a page prompting you to configure an index pattern, as shown in the image below.

http://your_servers_ip/

Index patterns tell Kibana which Elasticsearch indices to run searches and analytics against, and which fields to use. Kibana makes an educated guess at the index and time field names, so selecting "Create" here will get you started. If you then click the 'Discover' link at the top of the navigation bar, it shows all of the log data from the last 15 minutes. You can add further index patterns and customize your dashboards to visualize your centralized log server.

Conclusion

In this article you have learned the complete installation and configuration of the ELK stack on Ubuntu 14.04, with the additional installation of Logstash Forwarder on an Ubuntu 15 client server. There are a number of plugins available that you can choose and install to extend ELK in your web browser. The journey with a centralized log server has now started; there are still a couple of things to do to gather and filter specific logs and build customized dashboards. We hope you have found this article helpful. Don't forget to leave us your comments or contact us in case of any difficulty.